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Abstract 

Our task of quantum list decoding for a classical 
block code is to recover from a given quantumly cor- 
rupted codeword a short list containing all messages 
whose codewords have high "presence" in this quan- 
tumly corrupted codeword. All known families of ef- 
ficiently quantum list decodable codes, nonetheless, 
have exponentially-small message rate. We show that 
certain generalized Reed-Solomon codes concatenated 
with Hadamard codes of polynomially-small rate and 
constant codeword alphabet size have efficient quan- 
tum list decoding algorithms, provided that target 
codewords should have relatively high presence in a 
given quantumly corrupted codeword. 

Keywords: error-correcting code, quantum list de- 
coding, quantum computation, quantumly corrupted 
codeword 

1 Introduction 

Classical list decoding, which was rooted in the late 
f950s by Elias |3] and Wozencraft JT%1 - has drawn 
significant attention since Sudan's |I 5| discovery of 
an efficient list decoding algorithm for Reed-Solomon 
codes beyond its "traditional" error-correction radius. 
List decoding has since then found useful applications 
to cryptography as well as complexity theory (see, 
e.g., a survey article 

Quantum list decoding dealing with classical block 
codes first arose in connection to quantum hardcore 
function s in a seminal paper by Kawachi and Ya- 
makami ^21 (following an early result of Adcock and 
Cleve £Q on biased oracles) in the so-called implicit- 
input explicit- output model, in which we wish to out- 
put a list of messages with oracle access to a quan- 
tum encoding procedure which produces a quantum 
superposition of corrupted codewords. This model 
differs from the conventional error-correction model 
between a sender and a receiver through a noisy chan- 
nel. In contrast, we are given a (possibly) faulty quan- 
tum algorithm (known as a quantum- computationally 
corrupted codeword or quantumly corrupted codeword) 
which encodes a classical message to a certain quan- 
tum state representing a quantum corruption of the 
correct codeword. It is in general hard to recover the 
original message from such a quantumly corrupted 
codeword; however, we may be able to produce a rea- 
sonably small list that contains all messages whose 
codewords are close proximity to the given quantumly 
corrupted codeword. This closeness is scaled by the 
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notion of presence, which expresses the average prob- 
ability of obtaining each block of the target codeword 
from the quantumly corrupted codeword. (See |12| 
for an intuition behind this notion.) This is the pri- 
mary purpose of quantum list decoding. A natural 
question is: what types of classical block codes are 
efficiently quantum list decodable? 

There are known families of block codes that are 
efficiently quantum list decodable with arbitrary pres- 
ence. The first known example is Hadamard codes. In 
classical list decoding, Goldreich and Levin jS] showed 
the classical list decodability of the binary Hadamard 
codes and subsequently Goldreich, Rubinfeld, and Su- 
dan [S] gave a general list decoding algorithm for the 
g-ary Hadamard codes. Concerning quantum list de- 
coding, Adcock and Cleve [Tj essentially proved that 
the binary Hadamard codes are quantum list decod- 
able in polynomial time. For the g-ary Hadamard 
codes, a fast quantum list decoding algorithm was re- 
cently given by Kawachi and Yamakami |f 2) . They 
also presented two additional quantum list decod- 
able codes: shifted Legendre symbol codes and pair- 
wise equality codes. All these codes, nonetheless, have 
exponentially- small rate, where the (message) rate of 
a code is a ratio of message length and codeword's 
block length. 

This paper is motivated by the question of whether 
there exists a family of efficiently quantum list decod- 
able codes of polynomially-small rate and constant 
codeword alphabet size, because such a code family 
finds useful applications to quantum complexity the- 
ory (an example will be seen in Section EJ. Natu- 
ral candidates are well-studied Reed-Solomon codes. 
They have relatively large rate; however, they usu- 
ally have large alphabet size. A standard way to 
build a code of large rate but small alphabet size is to 
concatenate two codes of good properties. We claim 
that concatenating generalized Reed-Solomon codes 
with Hadamard codes gives the desired codes, assum- 
ing that the generalized Reed-Solomon codes are effi- 
ciently quantum list decodable. This claim is proven 
by employing in Section|3|a technique of constructing 
a "quantum reduction" between two quantumly cor- 
rupted codewords. Note that this technique requires 
no soft information, which is a key ingredient in the 
classical case of |H] ■ 

Are the generalized Reed-Solomon codes efficiently 
quantum list decodable? A direct and simple ap- 
proach toward their quantum list decoding is an ap- 
plication of the polynomial reconstruction algorithm 
of Guruswami and Sudan 7 . When codeword pres- 
ence in a quantumly corrupted codeword is relatively 
high, we can show in Section 0] how to construct 
a quantum list decoding algorithm for the general- 
ized Reed-Solomon codes. As the presence becomes 
lower, however, it seems harder to solve efficiently 
the quantum list decoding problem for the generalized 
Reed-Solomon codes, because its efficient list decod- 



ing leads to the unexpected consequence that every 
NP-problem can be efficiently solved on a quantum 
computer with high success probability. There is also 
a direct connection between quantum list decodabil- 
ity of the generalized Reed-Solomon codes and quan- 
tum solvability of two classical problems : th e noisy 
polynomial interpolation problem (NPIP) \1'6\ and the 
bounded distance vector problem (BDVP). 

To a certain type of application, our quantum list 
decoding algorithm for the aforementioned concate- 
nated code is still applicable. Our example is the 
QCMA search problem, in which we want to find a 
classical witness of polynomial size that forces a given 
polynomial-time quantum algorithm to accept with 
high probability. We show in Section that solving 
this search problem on average implies solving it in 
worst case. 

Finally we make a brief discussion on the notion of 
local quantum list decoding based on an implicit-input 
implicit-output model where an outcome of a list de- 
coder is a list of descriptions of quantum cir cuit list- 
decoders. Similar to the classical case of ^7|, we can 
apply our quantum list decoder for the generalized 
Reed-Solomon codes to do local quantum list decod- 
ing for Reed-Miiller codes from quantumly corrupted 
codewords. As an immediate consequence, we can 
prove the so-called hardness amplifi cati on of quantum 
circuits, following the argument of |17j . 

2 Foundations of Quantum List Decoding 

This section explains basic notions and notation con- 
cerning quantum list decoding. Throughout this pa- 
per, let N denote the set of all nonnegative inte- 
gers and set N + = N — {0}. For any positive in- 
tegers m,n with m < n, let [m, n]z denote the set 
{m, m+1, m + 2, . . . , n} and let [n] be short for [1, n]z 
if n > 1. 

2.1 Classical Block Codes 

We briefly explain classical block (error-correcting) 
codes, which are objects of our interest. Roughly 
speaking, a code is a set of strings of the same length 
over a finite alphabet £ and each string of a code 
is indexed by a message and is called a codeword. 
In this paper, we are mostly focused on a family of 
codes, each of which corresponds to a different mes- 
sage length n in N. Such a code family is in general 
specified by a series (E 

m In-, r n ) of message space £ n , 
index set I n , and code alphabet T n for each message 
length n (which serves as a "basis parameter" in this 
paper). 

As standard in complexity theory, a code C is 
viewed as a function that, for each message length 
n, maps £„ x /„ to r„. Let N(n) = jS^j and q{n) = 
|r„|. It is convenient to assume that £„ = (J^' n ) n 
so that n actually represents the length of messages 
in £„ over the message alphabet E^; in this case, 
n = [log| S , | N(n)~\ for each n £ N. By abbreviating 

C(x,y) as C x {y), we treat C x (-) as a function map- 
ping /„ to r„ and is called a codeword, where the block 
length M(n) of such a codeword is \I n \. For simplic- 
ity, we often assume that /„ = {0, 1, ... , M(n) — 1} 
so that each element of I n can be expressed in 
[log, M(n)] bits. We freely identify C x with the vec- 
tor (C X (0),C X (1), ■■■ , C x (M(n) - 1)) in the ambient 
space (r„) M (") of dimension M(n). We mainly work 
on a finite field and we often regard r„ as the finite 
field ¥ q{n) (= GF( ? (n))) of order q(n). 

The (message) rate of C is defined to be the ra- 
tio n/M(n). The (Hamming) distance d(C x ,C y ) be- 
tween two codewords C x and C v is the number of 



non-zero components in the vector C x — C' y . The 
minimal distance d{C) of a code C is the small- 
est distance between any pair of distinct codewords 
in C. In contrast, A(C x ,C y ) denotes the relative 
(Hamming) distance d(C x ,C y )/M(n). The above- 
described code is simply called a (M(n), n) g ( n ) -code* 
(or (M(n), n, d(n))-code if the minimal distance d(n) 
of the code of message length n is emphasized). We 
may drop a length parameter n from both subscript 
and argument place whenever we discuss a set of code- 
words with a "fixed" n. 

Hadamard Codes HAD. Let n be any message 
length, used as a parameter, and let q be any 
prime number. A g-ary Hadamard code family 
HAD (9) = {HAD (<? ' n) }„ eN consists of {q n ,n,q n - 
g n )q-codes obtained as follows. For each message 
x = (x u x 2 ,...,x n ) in (F,) n , let HAD^ n) (r) = 
YJi=i x ^ T i mod 9, where r = (n,r 2 , ■ ■ ■ ,r„) £ (F g ) n . 

(Normalized) Generalized Reed-Solomon Codes GRS. 

Let q be any prime and let k, n be any positive in- 
tegers with n < k < q. A (normalized) generalized 

Reed-Solomon code family GRS = {GRS (fe '"' 9) }„, fceN 
consists of all (k, n,k — n + l) g -codes obtained as 
follows. Let x — {xi, X2, ■ ■ ■ , x n ) £ (V q ) n be any 
message and let be a set of k distinct elements 

(called code locators) in ¥ q . Let GRS^'"' 9) (r) = 

Si=i x i rl 1 m °d <7 be the polynomial of degree at 
most n — 1 for each r £ Dk ■ 

2.2 Quantumly Corrupted Codewords and 
Codeword Presence 

We are mostly concerned with a quantum corruption 
that occurs during a quantum procedure of encoding 
messages into codewords. The process of such a quan- 
tum corruption can be described as a certain type of 
unitary map. Formally, a quantum- computationally 
corrupted codeword (or quantumly corrupted code- 
word) is a unitary operator O, with two fixed function 
parameters l(n) and m(n) mapping N to N, that sat- 
isfies the following condition: for any three strings 
r £ E™, s £ and t £ ; there exists a unit 

vector \<j) r . z ) of length m(n) such that 

0\r)\s)\t) =J2a r , z \r)\s®z)\t®</> r>z ), 

z 

where the notation \t © 4> r .z) is shorthand for 
J2weT, m ( n )( w \ ( f'r,z)\t © w) and © is the bitwise 

XOR. The presence of codeword C x in O, denoted 
Pre^C;;;), is the average probability of obtaining the 
correct values C x {r) over all indices r £ I n ; namely, 
Pre 6 (C x ) = jjJ2r K,c x (r)| 2 - See [El for an intu- 
ition behind these notions. 

We further expand the notions of presence and dis- 
tance. Let n be any message length. Define W n to be 
the set of all vectors w = (w r>z ) r , z £ [0, 1]?(«) M (") 
(which is viewed as a "measured" quantumly cor- 
rupted codeword) such that J2ze[o q(n)-i] - Wr . z = ^ 
for each index r £ [0,M(n) — 1]%. Notice that 
ErE z w r,« = M(n) for any w £ W n . Next, con- 
sider the set V n of all codewords a = (a r ) r £ 
([0, q(n) — l]z) M ( n \ We embed this codeword a into 
W n in the following way. Define v(a) = ((5r°2) r , z £ 

{0, where 5 ( r $ = 1 if a(r) = z and oth- 
erwise. Moreover, for any code (i.e., a subset of V n ) 

*In some literature, the notation (M(n), T n ) q ^ is used instead. 



C (n \ let u(C(")) = {v(a) \ a £ C^}. Finally, we 
obtain v{V n ) C tf n . 

First, we expand the notion of presence. For any 
a £ V n and any vector w £ W n , define Pre™ (a) = 
Ai\n) ( v ( a )\ w )> where ('I') denotes the standard in- 
ner product. Second, we expand the notion of the 
(Hamming) distance. For any pair v,w £ W n , define 
d(v,w) = M{n) — (v\w). This new definition clearly 
expands the standard notion of the distance d(-, •) be- 
cause, for any a,b £ V n , we have 

d(v(a),v(b)) = M(n) - (v(a)\v(b))) = d(a, b). 

Notice that, for any a £ V n and any vector w £ W n , 



Pre™ (a) = 



M(n) 



= 1 - 



d(v(a), w) 
M(n) ' 



2.3 Presence Versus Minimal Distance 

A relatively good up per bound on the value of 
presence is shown in |12| by following a geomet- 
ric method of Guruswami and Sudan ijf, who 
gave a q-aiy extension of Johnson bound. Let 
C be any (M(n), n, d(n)) q ^ n ycode family with mes- 
sage space £„ and define P q ( n ) (M(n), d(n), e(n)) as 
supq £„ | PreQ(C x ) > e(n)}|}, where "sup" is 

taken over all quantumly corrupted word O for C . 

Lemma 2.1 \Y2\ Let n be any message length. 
Let (s(n), q(n), d(n), M(n)) satisfy the inequal- 
ity e(n) > t(n), where £(n) equals l/q(n) + 

(1 - l/q(n)) ^l-(d(n)/M(n))(q(n)/(q(n)~l)). 
Assume that C is an (M(n),n, d(n)) q ( n ycode family. 
The value P q ^{M{n),d{n),e{n)) is upper-bounded 

by min [m (n)(q(n) - 1), d(n)( ^)^j^l )e(n) }, 

where g(n) = (e(n) — l/q(n)) 2 — (1 — l/q{n)) 2 . 
In case where e(n) = l(n), it holds that 
P q(n) (M(n),d(n),e(n)) < 2M(n)(q(n) - 1) - 1. 

To derive an asymptotic bound from this lemma, 
we introduce QL polv (X), which indicates the min- 
imal possible presence for a family of quantum 
list decodable codes of minimal relative distance A 
having only a polynomial-size message list. Let 
C = {C(")}„ e N be any (M(n),n,d(n)) q ( n yCode fam- 
ily. For each pair w £ W n and e £ [0,1], 
set E(w,e) = {a £ V n \ Pre ul (a) > e}. For 
any n £ N, let presence(C,l)(n) denote min{e £ 

| Vw £ W n [\E(w,e) n CW| < I}} and de- 
fine Pre(C,l) = limsup n {£^£^)M}, More- 

over, for any function set we define Pre(C 7 J-) = 
inii e jr{Pre(C,l)}. For any function I and any 
value A, let QLi(X) = inic:A(c)>\{P re (C, I)} , where 

A(C) = liminf„{A(C("))}. For each constant c £ N, 
let QLP° l y(X) = sup Q QL; a (A), where l a (n) = an c . 
Finally, QLP°^ (A)is set to be limsup^^ QLP ^(A). 
From Lemma 12 . 1 1 follows the next proposition. 

Proposition 2.2 Let A £ [0,1] be any minimal rel- 
ative distance. It holds that QLP ol y(X) > l/q+ (1 - 



1/2 



id thus, 



l/q) (1 - A/(l - l/q) + X/an c (l - l/q)) 
Q L Poly {X ) > l/q + (1 - l/q) (1 - A(l - l/q)) 1 ' 2 . 

Proof. Cons ider the case where the upper bound 
given in Lemma l2.1l is at most an c . For readability, we 
omit the parameter "n" in the following calculation. 



We then obtain the inequality 
d(l-l/q) 



< an c 



d(l-l/q) + Mg 
which is equivalent to 

Mu-iy^-^Wi-iWi 1X2 



q J an 1 - \ q J \ q 

The term |e — l/q\ is thus lower-bounded by 

2\ V2 



d(l-l/g) d(l-l/q) , f 1 _V 



Man c 



M 



Assuming that e > l/q, the proposition follows im- 
mediately from the relation A = d/M. □ 



It is still open whether the equality QiP°^(A) = 
l/q + (1 - l/q) (1 - A(l - l/q)) 1 ' 2 holds. 

2.4 Implicit-Input Explicit-Output Model 

List decoding has been modeled in several different 
ways in the past literature. This paper chiefly uses 
the model that takes quantumly corrupted codewords 
implicitly as an oracle and outputs hidden messages 
explicitly. Upon this implicit-input explicit- output 
model, the quantum list decoding problem (QLDP) 
for a code C is described in the following fashion. 
First, let C be any (M(n), n, d(n)) q ( n ycode family 
with message space E n and let O be any set of quan- 
tumly corrupted codewords for C . Take a bias pa- 
rameter e{n). 

e-QuANTUM List Decoding Problem (e-QLDP) 
for Code C w.r.t. O 

• Input: a message length n and a value l/e(n). 

• Implicit Input: an oracle O £ O representing 
a quantumly corrupted codeword for C. 

• Output: a list of messages including all mes- 
sages x £ £„ that satisfy the inequality 
Pre^C;!;) > l/q{n) + e(n). For convenience, we 
refer to such a list as a valid list for the e-QLDP. 

Our goal is to solve this e-QLDP using quantum 
computation with oracle access to a quantumly cor- 
rupted codeword in O with success probability at 
least S(n), which is given as a confidence parame- 
ter. Now, let us introduce the notion of quantum 
list decoding algorithm that works with bias e and 
confidence 8. 

Definition 2.3 (quantum list decoding) Let C 

be any code family, let s{n) be any bias parameter, 
and let 8{n) be any confidence parameter. A quantum 
list decoding algorithm (or a quantum list decoder) for 
C with bias e and confidence (5 is a quantum algorithm 
A that solves the e-QLDP for C with success proba- 
bility at least 5(n). If A also runs in time polynomial 
in (n, l/e(n), l/6(n)), it is called a polynomial-time 
quantum list decoding algorithm for C. 

The list size of a quantum list decoding algorithm 
refers to the maximal size of a valid list produced by 
the algorithm. 

Remark: In certain applications, list size plays a cru- 
cial role. For instance, if a quantum list decoder pro- 
duces a valid list L with probability at least S(n), it is 
possible to specify a hidden message x uniquely with 



the same success probability with help of "advice" of 
logi E i \L\ size over message alphabet S. 

In the rest of this subsection, we discuss a sim- 
ple connection between one-way functions and the 
QLDPs. To begin with, we introduce the notion of a 
one-way function of the strong form, which we prefer- 
ably call super one-way. 

Definition 2.4 (quantum super one-wayness) 

A function / is called quantum super one-way if (i) 
there exists a polynomial-time quantum algorithm A 
such that ,4|x)|0) = |x)|/(x))|<^r) for a certain quan- 
tum state \4> x ) and (ii) for any positive polynomial p 
and any polynomial-time quantum algorithm B, the 
probability that B\f(x))\<fi x ) outputs x is at most 
l/p(n). 

Remark: The "standard" one-wayness requires that 
B\f(x)) outputs x with negligible probability whereby 
the information \<j) x ) is hidden from the adversary B 
who tries to invert /. Our new notion indicates that 
B hardly outputs x even though \<fi x ) is given besides 
f(x) as supplemental information. 

A typical example of a quantum super one-way 
function is a quantum one-way permutation because, 
for a permutation, we can replace 1^) in Definition 
12.41 with |0 m ) by uncomputing a deterministic proce- 
dure that computes f{x) from x. 

Lemma 2.5 No polynomial-time quantum list de- 
codable code with poly nomially- small confidence is 
quantum super one-way. 

Proof. Let / be a quantum super one-way function 
with its length function m(n) <E nP^ (i.e., |/(x)| = 
m(|x|)). Consider an (m(n), n, d(ri)) q r n )-code C and 
let C x (r) denote the rth bit (f(x)) r of /(x). 

Take a polynomial-time quantum algorithm A 
computing C and assume that _4|x)|r)|0 m (™>)|0 m ) = 
\ x )\ r )\C x {r))\4> x ) for a certain quantum state \<fi x ). 

Fix x arbitrarily and define 0|r)|s)|t) = \r)\s © 
C x {r))\t@ <f> x ) for each pair (s, t) of strings. Toward a 
contradiction, assume that C has a polynomial-time 
quantum list decoder B with polynomially-small con- 
fidence. Without loss of generality, we can assume 

that Prob e [B° (0") = x] > 1 /pin) for a certain fixed 
positive polynomial p. Convert this B to an algo- 
rithm that inverts / as follows. On input \f(x))\<fi x ), 
where y € range(/), run B. Whenever B makes an 
oracle call with a query |r)|s)|f), generate its answer 
\r)\s © (f(x)) r )\t © 4> x ) from the input information. 
Finally, output an outcome of B. This implies that / 
is not quantum super one-way, a contradiction. □ 



3 Codes of Polynomially-Small Rate 

A family of polynomial-time classical list decodable 
codes of polynomially-small rate and binary codeword 
alphabet finds numerous applications in the fiel ds of 
cryptography and complexity theory (see, e.g., 
Since all known efficiently quantum list decodable 
code families have exponentially-small rate, it is natu- 
ral to ask whether there is any quantum list decodable 
code of polynomially-small rate and small alphabet 
size for any given bias parameter. 

3.1 Concatenated Codes 

A standard way of building a family of classical block 
codes of polynomially-small rate and small codeword 
alphabet size is to concatenate two codes of good 



properties: for instance, a generalized Reed-Solomon 
code and a Hadamard code. We can build a similar 
code under the assumption that the generalized Reed- 
Solomon codes are efficiently quantum list decodable 
for a certain bias value. 

We first explain Forney's 0] notion of concatenated 
codes. Let us consider two codes and such 
that is an (Mi, n%, di) 9 »«2-code and is an 
(M2, ri2, (fe^-code. Let x — (x±,X2, ■ ■ ■ ,x ni ) be any 
message of length ni, where each Xi is taken from 
S" 2 over a q- letter alphabet E. Since Xi can be ex- 
pressed as a 712-letter string, x can be viewed as a 
string of total length n^n-i over a q- letter alphabet. 
The code C = C% C\, given by the inner code 
concatenated with the outer code is defined 
as C{x,r,s) = (C^ (x,r), s). This concatenated 
code C is an (MiM 2 , 774712, d) g -code, where d satisfies 
d > d\d2, where d\d2 is called the design distance. 

For our purpose, we choose the concatenated code 
C GRS - H [n,q,d] explained in 0. 

Concatenated Code C GRS ' H [n, q, 9]. This is the 
concatenated code obtained by a certain general- 
ized Reed-Solomon code as an outer code with a 
Hadamard code as an inner code. Following we 
choose three parameters (q, n, 9) with n, q £ N and 
9 £ [0,1] such that n > 1, q > 2, n = mq m 9, and 
q m £ N for a certain number m £ N. Here, we 
use the (q m , q m 9, (1 - 9)q m + l) qm generalized Reed- 
Solomon code GRS' 9 ' 9 e ' q •* as an outer code and 
the {q m ,m, (1 - l/q)q m ) q Hadamard code HAD (<? ' m) 
as an inner code. The desired code C s ~ H [n, q, 9] = 

{C GRS-H 

[n, q,9) x } x is the collection of all concate- 
nated codes defined by C GRS ~ H [n, q, 9] x {r, r') — 
HAD^ m) © GRS^™' 9 '" 9 ' 9 " 1 '. This concatenated code 
is a {q 2m ,n,d) q -code, where d > (1 - l/g)(l - 9)q 2m 

(design distance). We have the bound ^ 

m < n, which further implies that q m < g^°Mjg\ ■ 

Therefore, as far as 9 = 0(l/p(n)) and q = 0(2^ n )) 
for a certain polynomial p, q m is upper-bounded by 
0{n 2 p(n) 2 ). 

Now, we claim that C GR [n,q, 9} is quantumly 
list decodable for an appropriate choice of parameters 
(n, q, 9), assuming that the generalized Reed-Solomon 
codes are quantumly list decodable for a specific bias 
parameter. 

Lemma 3.1 Let (q,n,8,m,s,e',5) satisfy the fol- 
lowing conditions: n,m,q G N + , 9, s, s', S € [0, 1], q > 

2, q m 9 € N, n = mq m 9, and e 2 > ^^(q^ 2m + e'). 

If the (q m ,q m 9,(l - 9)q m + l) qm generalized Reed- 
Solomon code has a quantum list decoder with bias 
e' and confidence 8 running in time polynomial in 
(n,q, 1/e', 1/8, 1/6), then C GRS ~ H [n,q,9] has a quan- 
tum list decoding algorithm with bias e and confidence 
8 running in time polynomial in (n,q, 1/8, 1/9). 

In this lemma, the value 8 of the confidence of the 
generalized Reed-Solomon code is transferred to the 
concatenated code C [n, q, 9]. The proof of the 

lemma is given in the subsequent subsection. 

3.2 Quantum Reduction Technique 

For the proof of Lemma 13.11 we wish to construct 
a "quantum reduction" between two quantumly cor- 
rupted codewords. It is useful to describe such a re- 
duction, say, from O to O' , as a quantum algorithm 
that, on each input |r)|s)|t), computes the outcome 



0'|r)|s)|t) by making oracle calls to O. This can be 
seen as a strong form of well-known Turing reduction 
between two languages. 

As a key lemma, we show a general result concern- 
ing the g-ary Hadamard code used as an inner code 
for an arbitrary outer code C. Now, let C be any 
(q m , n) g ™-code, which is treated as a function C(x, r) 
mapping from (¥ qm ) n x (W q ) m to (¥ q ) m . The con- 
catenated code D = HAD^ C therefore satisfies 
that 

D(x, r, s) = C(x,r) ■ s mod q 

for r S (¥ q ) m and s e {¥ q ) m . Our goal is to con- 
struct a quantum reduction between quantumly cor- 
rupted codewords Oc and Od associated with C and 
D, respectively. For any unitary transform U, we con- 
veniently say that a quantum algorithm A realizes U 
if, for any basis state |r), A on input |r) produces the 
state U\r) exactly. 

Wc have the following key lemma on the code D. 

Lemma 3.2 Let C and D be the codes given as 

above and let Od be any quantumly corrupted code- 
word for D. There exist a polynomial-time quantum 
algorithm B and a quantumly corrupted codeword Oc 
for C such that 

2 



1. Pre 



Oc 
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2. B realizes Oc with access to Od as an oracle. 

From the above lemma, Lemma 13 . 1 1 follows easily. 
We quickly sketch its proof. 

Proof of Lemma l3.11 Let (q, n, 9, m, e, e', S) be the 

parameters given in the lemma. For simplicity, write 
M = q m . Assume that the (M, MO, (1 - 6)M + 1) M 
generalized Reed-Solomon code has a polynomial- 
time quantum list decoder A with bias e' and confi- 
dence 6. Let O be any quantumly corrupted codeword 
for C ~ H [n,q, 9}. We want to find all messages x 
that satisfy the inequality Pre {C GRS ~ H [n, q, 9} x ) > 
1/q + e. By Lemma 13.21 we can reduce O to another 
quantumly corrupted codeword Oc for the outer code 
GRS (M,M0M) with the following presence condition: 



Preo(GRSS M ' Me ' M > 



> 



1 



q 2 e 2 



1 1 

M ' (q-1) 3 M 2 ~ M +£ 



where the last inequality follows from the bound s 2 > 
^ q ~qP (1/M 2 + e'). By running a quantum list de- 
coder for the GRS (M ' Me ' M) , we obtain a list that con- 
tains all messages x satisfying ¥m 6 (GRS x MM0 ' M) ) > 
1 /M + e' with the desired probability. □ 

The proof of our key lemma (Lemma 13. 2|) is much 
more involved. We note that a simple approach using 
the following relation 

C x {r) = D x {r, sW)D x (r, ««) ■ • ■ D x (r, S < m >), 

where sW = CP _1 10' _4 , does not give the desired pres- 
ence value for C x . 

Proof of Lemma l3.2l Let C be any (q m , n) gm -codc 

and let D be the concatenated code HAD' 9 -* C. As- 
sume that, for any r,s e (F g ) m , 6 D \r, s)|0)|0 d ) = 



J2ze¥ q a r,s, z \r, s)\z)\(f> rjStZ ). The desired quantumly 
corrupted codeword Oc can be realized by the fol- 
lowing quantum algorithm using Od as an oracle. 

Quantum Algorithm B: 

(1) Starting with |r) |0) |0 d+1 ) (a general case 
is similar), move the last register to the left- 
most location and then generate the state 

(iA/^T)£ feeM |fc}k}|o)|o d >. 

(2) Fix k for the meantime and generate the state 



-m/2 



E s ^\k)\r)\s}\O d ). 



(3) Apply Od to the first three registers. 
This step transforms the previous state into 
^72 J2 s i2ze¥ q a r,s,z\k)\r)\s)\z)\(j) r ^^). 

(4) Encode the content of the fourth register 
into the "phase" together with the information on 
*, i- e -- ■^T, s Y,z^ k q ' Za ^Ak)\r)\s)\z)\^z). This 
process is known as the phase encoding. 

(5) Apply the inverse of Od- The resulted state \ip' k ) 
can be expressed as £) s J2 Z Pk,r,s,z\k)\r)\s)\0)\O d ) + 
|fc)|Afe r ) with certain amplitudes Pkr,sz and a cer- 
tain vector |Afc iT .) whose last two registers contain no 
|0)|0 d ). The amplitude f3k, r ,s,z is calculated as 



k.r.s.z 



((fcKrKsKOKo'lKOz,)- 1 !^) 



i 



Ua z \a r ,sa\ 2 - 



qm/2 1 

Note that g -( 2m + 1 ) < J2 S , Z \Pk,r, s ,z\ 2 < Q~ m because 

/ \ 2 



1 



7 m+l I \ a r,s,z 



2 > <Vb 



/ J |^r,s,z | 
s.z 



< 



E \ ar '' 



Therefore, our state \ip' k ) is written in the form 



r s 



What is the norm of |Afc )r )? Since £ s z \ f3k,r,s,z\ 2 + 
|||Afc ir )|| 2 = 1, the squared norm of \&k,r) satisfies 
l-q~ m < |||A fe , r )|| 2 < i- g -(2"»+D. 

(6) If the last two registers contain |0)|0 d ), multiply 
the content s of the third register by k to obtain k ■ s; 
otherwise, do nothing. Note that k-s is in (F g ) m since 
so is s. 

(7) Similarly, exactly when |0)|0 d ) is in the last 
two registers, apply the inverse Fourier transform 
(F" 1 )™ over ¥ q to the second register. This produces 
the state \^) = E w e(v g )™ 7*,r,» I fc>|r)H|0)|O d ) + 
|fc)|Afe >r ), where jk,r,w is the complex number defined 

1 1 k(z — W-s)\ |9 

by Jk,r,w = L s Lz w ? \OLr, a ,z\ ■ 

(8) Prepare two new registers 



then generate q m l 2 J2we(f ) m \ r )\ w ) so tnat we have 
the state q~ m / 2 T, w e(w„^ \k)\r)\w 
(9) Finally, output the state 



for |Afc, r ) and 

Afc, r ). 



V? 



l =j E E lk,r, w \r)\w)\k)\Q)\Q a 

ke[ q -l] u)G(F 9 )™ 

I y 
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\r)\w)\k)\A 



k,r 



ke[q-i] w£(w q y 
This ends the description of B. 



To complete the proof, we need to evaluate the 
value of the presence of C x in Oc, i.e., Pre^ (C x ) — 

J2re¥ qm ,ke[q-1] ( Ylk,T,C x (r) 1 2 + 9"™ 1 1 I A fc>r ) 1 1 2 ) . 

Note that J2 Z |ov.s,z| 2 = 1 for each pair (r, s). Recall 



that Pre^C-Dx) = 9 2m E r , s6 (F 9 )"> Ks„D x (r, s )| 5 
thus follows that, for each k £ [g — 1], 



It 



fe,r,Cx(r)| 



> 



1 

-,4m 



r£F„ 



^ l Q r,s,_D x (r,;5)| 2 + Xfe 



(Pre^px) +Re(xfc)) 2 + (Mxfe)) 5 



fcCz-lVrvO), ,2 



where X k = 9 m E r , s E,#D.(r,«) ^ 
An argument similar to ^5] shows that, for a certain 
ke[q-l],MXk) > ~^\l~Pre 6 jD x )). Hence, 



~~m Z iTfc.r.C.wl 2 > 



i 



Pre dD (D x )-- 



rGF, 

Therefore, PreQ c (C x ) is lower-bounded by 



1 



9 



1 



g - 1 \g - 1/ \ ~" g/ q" 

This completes the proof of Lemma \'S. 21 



□ 



Lemma 13.21 gives a fast quantum reduction from 
Od to Oc- By contrast, there also exists a quantum 
reduction from Oc to Od with the following condi- 
tions. 

Lemma 3.3 Let Oc be any quantumly corrupted 
codeword for C . There exist a polynomial-time quan- 
tum algorithm A and a quantumly corrupted codeword 

Od for D such that 

1. PreojAc) = 1/9+ (1 - l/q)Pie 0o (C x ); and 

2. A realizes Od with oracle access to Oc- 

Proof Sketch. Given Oc, the following quantum 
algorithm A realizes the desired Od- 
Quantum Algorithm A: 

(1) Start with the state |r)|s)|0')|O d )|0 ( ). 

(2) Change the register order to obtain the state 

|r)|0')|0 d )| S )|0 ; ). 

(3) Invoke Oc- Assume that we obtain the state 
\^l)=Y, z&qm *rAr)\z)\<t>r,z)\s)P). 

(4) Compute detcrministically z ■ s mod q from 
(s,z) to obtain \ip 2 ) = J2z ®r,z\r)\z)\<t> r ,z)\s)\z ■ 
s mod q)\<j)' s z ), where \<j>' s z ) is the garbage produced 
while simulating the deterministic computation in a 
reversible fashion. 

(5) Change the register order so that we obtain ^3) = 

T.z a rA r )\ s )\ z ■ s mod <l)\z)\<t>r,z)\<t>'s,z)- 

It is not difficult to evaluate the value I're c , D (D x ) 
using Pre 6c {C x ). ■ 



4 Complexity of generalized Reed-Solomon 
Codes 

We turn our interest to the question of whether the 
generalized Reed-Solomon codes are efficiently quan- 
tum list decodable against a given bias parameter. 



We point out that a classical approach works well 
when the bias is relatively large; however, for smaller 
bias, there seems little hope in search of an efficient 
quantum list decoder. We also show that the gener- 
alized Reed-Solomon codes have natural connections 
to the noisy polynomial interpolation problem (NPIP) 
of Naor and Pinkas J3| and a lattice problem, which 
we call the bounded distance vector problem (BDVP). 

4.1 A Direct and Simple Approach 

A direct and simple approach toward the quantum list 
decoding of the (g, n,q — n + l) q generalized Reed- 
Solomon codes is the use of the Guruswami-Sudan 
polynomial reconstruction algorithm 0. This ap- 
proach works well after performing measurement on 
all oracle answers when bias is relatively large. 

Lemma 4-1 Let n, q £ N and e,e',S £ (0,1) sat- 
isfy the conditions: 2 < n < q, n — 2 < qe' < 

1 _M / n— 1 _^ _ ^ 1 1 

1 ' 



q — 1, and e' 



1 - 



e 



77 < e < 1 



9 " ; y i+ge' 
There exists a quantum list decoding algorithm for the 
(g, n, q — n + l) q generalized Reed-Solomon codes with 
bias e and confidence S running in time polynomial 
in(n, g, 1/5,1/(1 -6)). 

Proof. Choose numbers n, q £ N and e, e',6 £ 
(0, 1) to satisfy the premise of the lemma. Let 

O be any quantumly corrupted codeword for the 
GRS^'"'^. Now, we want to find all messages x satis- 
fying the inequality Pre^GRS^'™'^) > l/q + e. Fix 
such a message x arbitrarily in the following argu- 
ment. 

Let A E > = {r £ ¥ q | |a riGHS («.».«) (r) | 2 > l/q + e'}. 
It easily follows that \A e > | > (1 — 7 e , e ')g, where j e;e i = 
} }{ q e , , because we have 



- +e < Pre* (GRS x q ' n ' q) ) < ^— 

q ~ ° q 



K-A e ,\ fi +£ , 



q 



Initially, set r to be 0. Using O as an oracle, we 
iterate the following procedure by incrementing r by 
one. First, we make a query on r to the oracle T 
times, where T is the minimal integer satisfying 



T > 



1 + qe' 



1 log 



(1 + ge')(l -5 1/q )' 



Notice that 1 - S 1 ^ > (l-S)/q > since S < 1. 

After receiving each answer from O, wc perform a 
measurement on the computational basis over ¥ q and 
store a pair (r, y) if y is a result of this measure- 
ment. Since there are at most g/(l + qe') values y 
with |ov,2/| 2 > 1/g + e', the probability P r of obtain- 
ing all such y's is bounded by 

P r >l q — ■ (i-l-e'Y >5 1 /", 

1 + qe' \ q J ~ 

where the last inequality follows from the choice of T. 
After the gth iteration, we can store at most g 2 /(l + 
qe') points. Let S e i be the set of all stored points. 
The probability that S E i contains all the points (r, y) 
that satisfy |ckr,y| 2 > l/q + e' is at least Y\ re¥ P r > 

(S 1 ^) 9 = 6. 

Lastly, we should find all univariate polynomials 
p of degree at most n — 1 that lie on at least \A £ '\ 
points in S e >. For this purpose, we run the well- 
known Guruswami-Sudan polynomial reconstruction 



algorithm. Guruswami and Sudan [7] gave a deter- 
ministic algorithm A that solves in time polynomial 
in (m, log q) the following polynomial reconstruction 
problem: on input of integers m, n' , t and m points 
{{xi, yi)}ie[ m ] C F g x F 9 , find all univariate polyno- 
mials p of degree at most n' which lie on at least t 
points, provided that t > yrrvnf. 

The choice of our parameters implies that 



14,1 > (1 - ls,e>)q > J q ] ( Z l ) > V(n-l)\S £ ,\. 

Therefore, the Guruswami-Sudan algorithm correctly 
produces a lisv that includes all the polynomials p of 
degree at most n— 1 that satisfy |a np ( r )| 2 > 1/q + e' 
for at least (1 — 7 e , e ') < Z indices r. Hence, the list also 
includes all messages x for which Pre a (GRS(«' n ' ?) ) > 
l/q + e. □ 

Combining the above lemma with Lemma 13. II we 
obtain the proposition below. 

Proposition 4-2 Let (q,n,9,m,e,5) satisfy the 
conditions: m, n, q S N+, e, 5, 9 e [0, 1], q>2, q m 9 e 
N,n = mq m 9, 29 < 1 + q~ m , and e 2 >t 2 {9- q~ m ) + 

i(l - q- m ) - q- m + q 2m , where t = ( ^f^ j^ \ 

The concatenated code C [n, q, 9] has a quantum 

list decoder with bias e and confidence 5 running in 
time polynomial in (n, q, 1/e, 1/5, 1/(1 — 5)). 

To use the Guru swami-Sudan algorithm in the 
proof of Lemma 14.11 we make the bias e relatively 
large. Is there any other way to list decode the 
generalized Reed-Solomon codes from a quantumly 
corrupted codeword even for relatively small bias? 
We can show in the next proposition that an effi- 
cient quantum list decoder for the generalized Reed- 
Solomon codes with arbitrary bias and high confi- 
dence can be used to solve all NP-problems efficiently 
on a quantum computer with high success probability. 

Proposition 4-3 Let t(n) be any function from N 
to N with t{n) > n for all n S N. If there ex- 
ists a quantum list decoder for the generalized Reed- 
Solomon codes with arbitrary bias and confidence 2/3 
running in t(n) time, then every NP -problem can be 
solved by a certain quantum algorithm with success 
probability at least 2/3 in nP^'tin) time. 

Proof. We want to give a reduction from a certain 
NP-complctc problem to the QLDP with a specific 
quantumly corrupted codeword. To make our proof 
simple, we use the following restricted form of the 
interpolation problem discussed in 

Constrained Interpolation Problem (CIP) 

• Input: three numbers d, e, m € N, a prime q, a 
set A = {(xi,yi), (x m ,y m )} of m points in 
F, x F,, given in binary. 

• Condition: eU(£i) = 1 and d,A(xi) = 2 for any 
i E [2,to] z , where d A (x) = \{y | (x,y) £ A}\. 

• Question: is there any univariate polynomial p 
of degree at most d such that p(x\) = y\ and 
p(xi) = yi for at least e different i's? 

This problem is clearly in NP and is also proven 
to be NP-hard* [§]. Now, let d,e,m <E N, let q be a 

^Actually, to obtain an output of a unique list, we need to repeat 
the above process. 

"^This fact is observed by examining the reduction constructed 
in |^] from the subset sum problem. 



prime, and let A = {(xi, y\), . . . , (x m , y m )} be any 
set of m points in ¥ q x ¥ q . Define D as the set 
{xi, . . . , x m } of code locators and write i = \D\. Note 
that 1 = (m — l)/2 by the given condition. 

Using A, we define a quantumly corrupted code- 
word 6 of the form 6\x)\s)\t) = J2 y ev q a x, y \x)\y © 
s)\t) for every x € ¥ q . Let (x,y) be any point in 
F q x F q . If (x,y) e A, let a x>y = l/y/d A (x); oth- 
erwise, let a x , y = 0. Finally, let e = e(e, m, q) — 
^ - K Note that e > since I < q. 

Now, we claim the following: a polynomial p of 
degree d passes on at least e points in A as well as 
the point {x\, y\) if and only if the presence of p in O 
satisfies 

1 ^ , , 1 1 e 1 

1 1 x£D H 

Therefore, solving the CIP can be reduced to solving 
the e-QLDP with O. Note that it takes only quantum 
polynomial time to realize O from the set A (which 
is given as an input). Applying a t(n)-time quantum 
list decoder for the £-QLDP with confidence 2/3, we 
obtain a valid list of polynomials p. The list size is 
at most t{n). Since the list may contain illegitimate 
polynomials, we need to check if each p passes on at 
least e + 1 different points in A including (xi,yi). 
This quantum algorithm solves the CIP with success 
probability at least 2/3. □ 

Since the inclusion NP C BQP seems unlikely, 
there is little hope to find a "polynomial-time" quan- 
tum list decoder for the generalized Reed-Solomon 
code with relatively small bias. 

4.2 Noisy Polynomial Interpolation Problem 

We point out that quantum list decoding of the gen- 
eralized Reed-Solomon code is closely related to the 
noisy polynomial interpolation problem^ introduced 
by Naor and Pinkas |13| . 

Noisy Polynomial Interpolation Problem 
(NPIP) 

• Input: three numbers k,m,n S N, a prime q, n 
distinct points {x\,X2, ■ ■ ■ , x n } in ¥ q , and n sets 
Si, . . . , S n , each of which consists of exactly m 
elements from F q . 

• Promise: there exists a unique polynomial p of 
degree at most k such that, for each i S [n], 
there exists exactly one element y € Si satisfying 
P(xi) = y- 

• Output: the hidden polynomial p. 

Naor and Pinkas used the NPIP as an intractable 
assumption for a cryptographic primitive, called 
oblivious polynomial evaluation. Now, we prove the 
following. 

Proposition 4-4 If the generalized Reed- Solomon 
codes are quantum list decodable with arbitrary bias 
and confidence 2/3, then there exists a quantum al- 
gorithm that solves the NPIP with probability at least 
2/3. 

Proof. Take n distinct elements X — {x\, . . . , x n } 
and n sets S% , . . . , S n of m elements each. Assume 
that the promise of the NPIP holds with a unique 
polynomial, say, p of degree at most k. We set the 

^This name is actually taken from the paper by Blcichcnbachcr 
and Nguyen [5]. 



bias e to be ~(l/m— 1/q) and let S — U»e[m] 



ft 



Note that k,m,n < q. 

Let us define a quantumly corrupted codeword 
O as follows. For any element x in X, say 
x = Xi for a certain i £ [m], let 0|xi)|s)|£) = 

-ji^Y,yes i s i>y\ x i)\ s ®y)\ t )> where = 1 if y G Si 
and otherwise. For the other elements x outside of 
X, let 6\x)\s)\t) = ^Eyew q \x)\s®v)\t)- We claim 

that the unique polynomial p satisfies the condition 
Preg(p) > 1/q+s. Since \X\ — n and |F — X\ = q—n, 
it follows that 



q ^ 



o 



xGF, 

1 / Th q — n 

- — + - 

q \m q 
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1 lr^l 
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Hence, we conclude that Pre^p) > 1/q + s. 

Now, consider the e-QLDP for the GRS ( "' fe ' 9) with 
O. By our assumption, there exists a quantum list 
decoder A that solves this e-QLDP with high con- 
fidence. To apply this A to find the hidden poly- 
nomial p, we need to realize O from the given in- 
puts (x\, . . . , x n , Si, ... , S„). This is done by gener- 
ating the state 0|xj)|s)|£) as follows: choose y in Sj 
randomly and then generate the amplitude 5i yV /^/rri. 
Therefore, we can solve the NPIP with high success 
probability. □ 



4.3 Bounded Distance Vector Problem 

To construct a quantum list decoder for the general- 
ized Reed-Solomon code against relatively small bias, 
it suffices to give a quantum algorithm to the follow- 
ing lattice problem. 

Bounded Distance Vector Problem (BDVP) 

• Input: m basis vectors b±, b%, . . . , b m £ Z n and 
a radius £ £ Q. 

• Oracle: given a vector v G Z", returns the 
value ||v|| 2 = Ej S [„] tf v ji where v = ( u i> ■■■."») 
and A = £ [0, 1]" is a weight vector. 

• Output: a list that contains all vectors v in the 
lattice L spanned by {&i, 62, • • • , b m }, satisfying 

lHP<e 

Proposition If there exists a quantum algo- 

rithm that solves the BDVP with probability at least 
2/3, then there exist quantum list decoders for the 
generalized Reed-Solomon codes with arbitrary bias 
and confidence 2/3. 

Proof. The following argument is owing to We 
want to construct an efficient quantum reduction to 
the BDVP from the QLDP for the (M, n, M - n + 
l) q generalized Reed-Solomon code. This proves the 
proposition. 

Fix a set Dm = {xi, £2, ■ ■ ■ 1 xm} of M distinct 
code locators in ¥ q and consider the product set 
D M x F ? = {(xi,Zj) I i G [M],j £ [q]}. Let e 
be any bias and assume that a quantumly corrupted 
codeword O for the generalized Reed-Solomon code 
satisfies d\xi)\s)\t) = J2je[ q ] a t,j\ x i)\ s © © <l>i,j)- 
The (special) Lagrange interpolation polynomials cor- 



responding to D M are L t (x) = Y[ je[M] _ {{} in 

F Q [x], which is of degree M — 1, for each i £ [M]. 
Note that every Lj(x) satisfies the following property: 



Li(xi) — and Li{xj) = if j 7^ i. Assume that 

= SfeLi c ifcX fc_1 for certain constants Cjfc £ ¥ g . 
Let a = (ai, a2, . . . , a„) G (F )™ be any mes- 
sage and let p a (x) = 5Zfc=i a kX k ~ 1 be its codeword, 
i.e., the polynomial over F g of degree at most n — 1. 
Now, we assume that Pre^pa) > 1/g + e. Note that 
p a satisfies the Lagrange's interpolation formula: 



M 



M q 



i—1 i—1 j—1 

M / M q 



fc=i \ i=i j=i 



where 6 



1 if p Q (xi) 



and otherwise. Note 



that Ej=i = 1 for each fixed i and a. Let <5^ a ^ = 
(<Jj-" )ij G Z qM be our target vector. We define the set 
L as the collection of all vectors d — (rfy)ij G Z ?M 



1 



1 ^i'i 



and 



Si=i SLi dijZjdk = mod q 



such that 

1. Vi,i' £ [M] \j2 

2. Vfc G [n+l,M] 5 

It is not difficult to show that L forms a lattice. No- 
tice that the target vector belongs to L. A set 
of basis vectors 62, • • • , b m } for L can be found 
easily (see, e.g., 

Next, we define a weight vector A = (Ay)ij G 
[0,1] qM as follows: for each point (xi,zj), let A-y = 
yT — |aa; i;Zj | 2 . The weighted norm \\d\\ of a vec- 
tor c? = (dij)ij £ L is thus calculated as ||<i| = 



E 



'■J ">J A 'J ~ 



2 ). Therefore, 



the square of the weighted norm of equals 

l!^ (a) ll 2 = E^O'C 1 "!^-)! 9 ) 

Pre 6(Pa))- 



M(l 



By taking the radius £ = M(l — 1/q — e), it follows 

that ||5 (a) || 2 < £ iff Pre 6 {p a ) > 1/q + e. 

To solve the QLDP, we first compute a basis vec- 
tors bi,...,b m and a radius £. We then solve the 
BDVP using the weight vector (given by an oracle). 
Let vi,...,Vk be the resulted list of vectors in L. For 
each Vi, find <2j G (F )" such that v t — 5^ by solving 
a set of linear equations. □ 



5 Quantum Search Problems 

We present an example of how to use Proposition ^. 21 
Our example here is a QCMA search problem. Set 
our alphabet S to be {0, 1} in this section. A QCMA 
search problem is a triplet (L, M,p), where L is a lan- 
guage, M is a polynomial-time quantum algorithm 
taking inputs from S* x S* , and p is a polynomial, 
with the following two requirements: 

1. for every x £ L, there exists a witness y £ E p ^ x '' 
such that Prob M [M(x,y) = 1] > 2/3; and 

2. for every x g L, Prob M [M(x, y) = 0] > 2/3 holds 
for any string y G EPd 31 !). 

A solution function f for the search problem (L, M, p) 
satisfies that (i) for every x £ L, ProbM^ (x, f(x j) = 
1] > 2/3 and \f(x)\ — p(\x\) and (ii) for every x ^ 
L, f(x) — _L (a special symbol). Moreover, QCMA 



denotes the class consisting of all languages L over 
the alphabet S such that there exist a polynomial- 
time quantum algorithm M and a polynomial p for 
which (L, M,p) is a QCMA search problem. 

Proposition 5.1 Let s be any positive polynomial. 
The following two statements are equivalent. 

1. For every QCMA search problem, there exist 
its solution junction g and a polynomial-time 
quantum algorithm A such that, for every x, 
Prob^OM 1 ) = (9(x))i] > 1/2 + l/s(\x\). 

2. For every QCMA search problem, there exist 
its solution junction f and a polynomial-time 
quantum algorithm B such that, for every x, 
Prob B [£(x) = f(x)} > 2/3. 

An immediate corollary is stated as follows. 

Corollary 5.2 Assuming that QCMA ^ BQP, for 

every positive polynomial pair (p,p') with p'(n) > 
p(n) for all nefl, there exists a QCMA search prob- 
lem V that satisfies the following: for any solution 
function f for V, no polynomial-time quantum algo- 
rithm finds strings y, on each input x of length n, 

with probability at least 1 — p /( K ^(^) +2 ) suc ^ that the 

relative distance A(y,f(x)) is at most 1/2 — l/p(n). 

Proof. Assume that QCMA ^ BQP. Assume also 
that, for every QCMA search problem, there exist 
its solution function / and a polynomial-time quan- 
tum algorithm A that finds a string y, on each in- 
put x, with probability at least 1 — p'(tJ(^(«)+2) w ^ n 

A(y, /(!))< 1/2 -l/p(n). 

Consider the following algorithm B: on input 
(x,P), run A on input x and then output the ith 
bit of its outcome. The success probability of B is 
lower-bounded by 

Prob^[£(M l ) = (/(x)),] 

^ fl-^rrt-^)(l-max{A(y,/(x)))}) 
V P {n){p(n) + 2) J 

11 1 

2 p(n) p'{n) 

Now, choose a polynomial s satisfying that 
l/s(n ) < l/p(n) — l/p'(n) for all n G N. By Propo- 
sition we have a polynomial-time quantum algo- 
rithm that computes a certain solution function with 
probability at least 3/4. This means that QCMA is 
included in BQP, a contradiction. □ 

Finally, we give the proof of Proposition 

Proof of Proposition 15.11 Let s be any positive 
polynomial. Take two positive polynomials q, t and 
a (t(n), n)2-code family C that is polynomial-time 
classically list decodable and has a polynomial-time 
quantum list decoder D with bias l/s(i _1 (n)) and 
confidence 2/3, producing a list of size at most q(n), 
where n is message length. Without loss of generality, 
we can assume that t(n) > n for all n E N. 

The implication (2) =>- (1) is trivial. Next, we as- 
sume (1) and want to show (2). Let V = (L,M,p) 
be any QCMA search problem. Assume also that 
p(n) > n for all n E N. Note that a standard major- 
ity vote technique can reduce the bounded error prob- 
ability of a quantum algorithm exponentially small 
(without changing the witness size) by polynomially- 
many repetitions. Therefore, we can assume from (1) 
that 

1. for every x E L, there exists a witness y E T, p ^' x '' 
such that Prob M [M(x,y) = 1] > l-2- r (N); and 



2. for every x ^ L and for every y E Y, p (\ x \\ we have 

Prob M [M(x,y) = 0] > 1 - 2- r( -^\ 
where r(n) — t{p{n)) + 3 and M is a certain 
polynomial-time quantum algorithm that depends on 
(p,r,L). 

Now, we define another QCMA search problem V' 
as follows. Let C y denote the codeword, to which y is 
encoded, of block length £(|y|). Consider the quantum 
algorithm M' that behaves as follows. 

On input (x, z), first run the classical list de- 
coding algorithm in polynomial time to pro- 
duce with probability at least 5/6 a list S of 
candidates for C using z as a classically cor- 
rupted codeword (or a received word). Next, 
check if z — C y for a certain y E S. If there 
is no such y, reject immediately. Assuming 
z = C y , run M(x,y) and outputs its out- 
come. 

Let V = (L,M',p). We then claim that V is a 
QCMA search problem. Take any n E N and any 
x E S™. Consider the case where x E L. Since there 
exists a witness y E £ p ( n ), the corresponding code- 
word z = C y forces M' to accept (x, z) with prob- 
ability at least |(1 - T r ^) > 2/3. For the other 
case where x £ L, let z be any string in E'W")). If 
z ^ C y for all y E S, then M' accepts (x, z) with 
probability < 1/6. On the contrary, if z = C y for a 
certain y E S, then M' accepts (x, z) with probability 
< |2-KM) < 1/3. 

Again, by the majority vote technique, we can re- 
duce the error probability of M' to 2~ r{n \ Abusing 
the notation, we use M' to denote this new algorithm. 
By our assumption (1), there exist a solution function 
g for V' and a polynomial-time quantum algorithm A 
such that, for every x E S™, 

A(X, V) = a^ol^lO)!^) + Qtsc,<,l|*)]l>|0a;,l>3 

where || l^x.fc)! = 1 for any choice b E {0,1}, and 
Prob A<i [A(x, V) = (g(x))i] > 1/2 + l/s(n). 

We fix an arbitrary x and, for the meantime, we 
omit subscript x. Let us define the oracle O as follows: 

O|i)|0)|0) = a i , |i)|0)|^,o) + a iil |i)|l)|^, 1 ). 

If there exists a string y satisfying C y = g{x), then 
the presence of C y in O is 

Pre o(Q/) = ^)EKa, w I 2 

1 V^l 12 1 1 

p(n) t-r 1 2 s(n) 

Recall that D produces a list of size at most t(n) 
for message length n. We assume the standard order 
in £ p ("). Consider the following algorithm B. 

On input x (n — \x\), run D using O as an 
oracle to produce a list S' of t{p{n)) candi- 
dates (since the message size is p(n)), which 
include the above y (if x € L), with prob- 
ability > 1 - 2- ri - n \ Run M'(x,z) sequen- 
tially for all z E S' in order. Output the 
first z E S' such that M'(x, z) outputs 1. If 
there is no such z, output _L. 

Let /(x) be the minimal string z in S' such that (i) 
Prob M ' [M'(x, z) = 1] > 1 - 2- r (™> and (ii) for all 



z' < z in S', Prob M ' [M'(x, z') = 0] > 1 - 2-^ n \ 
The probability that B(x) outputs f(x) is at least 

(l _ 2 -<»)) * b(n)) > 1 - 2 -K«)+t(p(«))-i > 3/4. This 

guarantees that we obtain /(#) with probability at 
least 3/4. □ 



6 Further Discussion 

In the previous sections, we have used the model of 
implicit inputs and explicit outputs. When the run- 
ning time of a quantum list decoder is limited to sub- 
linear, it becomes impossible to explicitly output a list 
of messages. Instead, we may allow a quantum list de- 
coder to produces a list of "oracle quantum circuits," 
each of which output each block element of a specific 
message with oracle access to a quantumly corrupted 
codeword. Such a model is called an implicit- output 
model. We briefly discuss a realm of quantum list de- 
coding on this implicit-input implicit-output model. 

Let us introduce the notion of local quantum list 
decoding, analogous to local list decoding. 

Definition 6.1 Let C be any (M(n),n,d(n)) q t n y 
code family with message alphabet E. We say that C 
is locally quantum list decodable with bias e and con- 
fidence 5 if there exists a quantum algorithm A such 
that, for any message length n € N (given in binary, 
not in unary), any O for C, and any x G E" with 
Pretty > 1/q + e(n), the following happens with 
probability at least 3/4: 

1. A(n) outputs a list of descriptions of oracle quan- 
tum circuits D\,D2, ■ . . , Di ; and 

2. there exists an index j £ [£} such that, for every 

i € [n], D°(i) outputs Xi with probability at 
least 5{n) 

Similar to C GRS ~ H , we can define the concate- 
nated code C RM ~ H using an appropriate Reed-Muller 
code and a pro per Hadamard code. Following an ar- 
gument of [17| . we can easily prove that, using Lem- 
mas 13. 21 and 14. II the code C RM ' H is efficiently locally 
quantum list decodable with polynomially-small bias 
and confidence 2/3. Hence, we can conclude: 

Lemma 6.2 There exists a code family of 
polynomially-small rate and constant codeword 
alphabet size that are efficiently locally quantum list 
decodable with confidence 2/3 for polynomially-small 
bias. 

An immediate consequence of this lemma is the 
hardness amplification of quantum circuits, again fol- 
lowing an argument of [T7| . 

Corollary 6.3 There exists a constant d > for 
which the following is true. Let e € (0, 1) and let 
f be any Boolean function from {Q,l} fc l n '. If no 
quantum circuit of size s computes f with probabil- 
ity at least 5, then there exists a Boolean function g 
mapping {0, i} tofc (™) with £(n) € 0{n) such that no 
quantum circuit C of size s' = (k(n)/e) d ■ s satisfies 
Probo[C(x) = g{x)\ > 1/2 + e, where C(x) denotes 
the random variable indicating the observed outcome 
bit of C on input x. 

7 Concluding Remarks and Open Problems 

The theme of this paper is an exploration of quantum 
list decodable code families of polynomially-small rate 
and constant codeword alphabet size. We have shown 



that certain generalized Reed-Solomon codes concate- 
nated with Hadamard codes achieving such require- 
ment are efficiently quantum list decodable when the 
bias of presence is relatively large. Even with such 
large bias, this helps us show the local quantum list 
dccodability of Reed-Miiller codes. Notice that a core 
part of the proofs of these results hea vily relies on 
classical list decoding algorithms of Ej ■ Among 
codes of polynomially-small rate, is there any code 
whose quantum list decoding algorithm is in essence 
different from its classical one? Is there any quantum 
list decodable code that is not even classically list de- 
codable? Does a generalized Reed-Solomon code have 
a subexponential-time quantum list decoder against 
arbitrary bias? Another important open problem is 
to find useful applications of quantum list decoding 
to a wide range of quantum information processing. 
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